Question

Virus blocked access to microsoft.com and antivirus websites.

Asked by: twcadmin

I have a windows XP computer that didnt have protection and after a scan using avast, malwarebytes, hijackthis, and superantispyware, I found many threats that were removed successfully. I then upgraded to SP3. The remaining problems are windows update service keeps crashing, and I can't access the typical sites related to removing an infection, such as microsoft.com, windows update, and updates cant be downloaded by the various antivirus/antispyware programs but I can get to miscellaneous websites such as google.com.

My questions are, without repairing the OS install, how might I go about repairing this. More important, what would still be causing this if the infection is removed? I'm interested in the details of what files or settings would be hooking into the connection to these sites and be denying the connection?

The only thing I could think of was hijacked DNS settings but I verified that the correct DNS server is being used.

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-09-27 at 20:09:54ID24765906
Topics

Desktop Anti-Virus

,

Anti-Spyware

,

Proxy/Firewall Anti-Virus

Participating Experts
4
Points
500
Comments
13

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Virus Infection?
    I have a pc running XP Pro SP2 which is acting up. It is impossible to make hidden files and folders visible. Most spyware and Antivirus software either hangs or refuses to start and some other programs will not start. I am fairly sure that there is or has been a virus causi...
  2. Trojan Virus infection
    Infected with Radim Hook. I cant seem to get rid of it. I have tried Hijack this and Webroot spysweeper. It keeps coming back. My gut tells me its in registry. Can anyone advise on how to get rid of this particular virus. Thanks in advance.
  3. Virus infected windows files.
    I am working on removing a virus infection from a windows XP home computer. It started with spyware and the typical popups. I have removed everything I can find, but Trend Micro keeps finding a virus it calls PE_PATCHEP.A It is infecting lsass.exe, services.exe, spoolsv.ex...
  4. Spyware Infection, Virus Infection, Browser Hijack, Help!
    Hi, I am here once again. This time I have multiple problems on my XP computer that I cannot even begin to fix. Even though I can get some connectivity on the XP computer, I am connecting to experts exchange and doing all my writing from another computer (Vista computer) th...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: The_Computer_GuyPosted on 2009-09-27 at 20:18:09ID: 25436581

I recommend downloading smitfraudfix, combofix, and vundofix. I can upload them to a public folder for you so you can download them.

All must be ran in safe mode, and restart between each scan. Give me 5 minutes.

 

by: twcadminPosted on 2009-09-27 at 20:22:57ID: 25436595

Unfortunately, I get a blue screen when I try to boot into safe mode. This may have been corrected after I installed SP3 so I will check.

 

by: The_Computer_GuyPosted on 2009-09-27 at 20:25:12ID: 25436604

You can try them in standard mode, but they might not get everything. I will also look into your blue screen issue.

 

by: The_Computer_GuyPosted on 2009-09-27 at 20:30:15ID: 25436617

 

by: optomaPosted on 2009-09-28 at 00:54:04ID: 25437385

Its possible that there still is a DNS changer resident somewhere.

Scan your system with this live cd firstly
Kaspersky live cd http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

Could you attach your hijackthis log through "attach file" section to be checked out.

Also combofix should be ran in Normal Mode, once applicable.
The following link provides all instructions on using combofix and its downloading sources
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

by: rpggamergirlPosted on 2009-09-28 at 01:50:23ID: 25437620

When using Combofix as already suggested, attach the log here for us to check to make sure it's clean as Combofix won't automatically removed all bad files in its first run.

 

by: SSharmaPosted on 2009-09-28 at 05:37:33ID: 25438777

Hi twcadmin,

You could also check the host file of your windows xp operating system. Here is full path of it:
C:\WINDOWS\system32\drivers\etc
or
C:\WINNT\system32\drivers\etc

You would find the file named "hosts" there, it would be read-only mode so you would have to check the properties of it and open it using notepad or wordpad. check the entries against domain name/URL with 127.0.0.1. Typically there would be one like below:
127.0.0.1       localhost

You could remove the rest, unless you have some specific entries. Then you could try the windows update sites and other sites. Hope this would help.

 

by: twcadminPosted on 2009-09-28 at 10:27:59ID: 25441294

Thanks everyone for your suggestions, I am currently downloading the live cd and putting the other utilities on USB drive. I will be able to compile something this evening to post back along with a hijackthis and combofix log!

Just as an added note, I found that when I first tried using my flash drive to transfer utilities to the infected pc, it was putting malicious files on my USB drive. When I plugged it back into my source computer, Symantec Endpoint Protection found and removed the infected files on the flash drive. It no longer infects my flash drive since that specific infection was removed from the client using Avast.

 

by: twcadminPosted on 2009-09-28 at 10:30:43ID: 25441319

I have also checked the hosts file already since that was my first guess. Thanks

 

by: twcadminPosted on 2009-09-29 at 17:34:24ID: 25454717

Latest update,

Flash drive is being infected again, possbily by virut or vundo from what i'm reading. Somehow Avast isn't catching it eventhough it has the latest definitions. I reinstalled windows installer, manually installed windows update service which caused it to stop crashing. chkdsk /r is recovering a bunch of files as we speak. I'm guessing the drive is starting to fail as well.


VundoFix found nothing

SmitfraudFix detected and fixed nothing

Could not run ComboFix since its keeps saying its infected and I have to redownload

Computer would not boot to Kapersky LiveCD for some reason. Its a Dell computer so I pressed F12 to show the boot menu and chose IDE CD Rom but it still didnt boot to CD. I verified that the cd does boot on a different computer so the CD is good. I cant even boot from my windows xp cd.

I downloaded the AVG Virut removal tool - http://www.avg.com/virus-removal.ndi-67762

It ran upon the next boot and apparently had to clean a bunch of random files

 

by: The_Computer_GuyPosted on 2009-09-29 at 17:43:43ID: 25454754

burn the fixes to a CD then run them.

You could also pull the hard drive and attach it as a slave to another computer and scan it that way. Since that windows installation will not be running, there is little risk in attempting this method.

 

by: optomaPosted on 2009-09-29 at 17:54:23ID: 25454790

Be careful if it is VIRUT. Very nasty.
Disconnect any machine from the network which has been in contact with that usb drive. Virut will latch on to .exe files among others.
Depending on the extent of the damage, a wipe n reinstall is probably your only choice--Thats If it is a Virut infection

You can use Dr Web Live Cd to scan any infected machines and scan the usb drive(or bin it if not expensive)
http://www.freedrweb.com/livecd

Read these
http://www.f-secure.com/v-descs/virus_w32_virut.shtml
http://www.avast.com/eng/win32-virut.html

 

by: twcadminPosted on 2009-09-30 at 09:46:48ID: 25460747

Thank you everyone for your help cleaning up everything else but I cant boot from cd or view any files from the cd rom within the OS on this persons computer(assuming failed or malfunctioning cdrom). I can no longer dedicate time to figure out how to remove or repair the installation so I recommended a new computer becuase this was was fairly old and the HD seems to be failing as well. I have just opened a new question regarding the effects of VIRUT. Look for the question "Nasty VIRUT virus" if you're interested.

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...